Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

e15e51d84f...bd.dll

windows7-x64

10

e15e51d84f...bd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e15e51d84f7bb087d0d9722d3ff7d376dc9469f490cdd7424b0992720b276ebd.dll

  • Size

    133KB

  • MD5

    b8f6ee37da1463c2c68c45eccb8c3270

  • SHA1

    ab96af06f7f0d8a4499405ca014dd0120432a297

  • SHA256

    e15e51d84f7bb087d0d9722d3ff7d376dc9469f490cdd7424b0992720b276ebd

  • SHA512

    9f2808d474e807d95b366a7683ec5186636cef444b2a36164d8c51f9b9bc61652afa38bf6cafa4791b111d59f8f7a34735694bfd1c49092743089c127fef4545

  • SSDEEP

    3072:wixrcYyNNBxIf58d6UuSMhXk22T94oz7vEEZzcdzJO:BANBxIxh0u4TSg7vECzcR0

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e15e51d84f7bb087d0d9722d3ff7d376dc9469f490cdd7424b0992720b276ebd.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e15e51d84f7bb087d0d9722d3ff7d376dc9469f490cdd7424b0992720b276ebd.dll,#1
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\program files (x86)\bwxy\gwxyabcde.gif
    Filesize

    8.2MB

    MD5

    db30eab367a0ecbc1c7d87101587b219

    SHA1

    c0a73fbb47e137632cf14c3161608b4cf31d5e32

    SHA256

    cf42365a6d3b93afa2abcf6df09ecb0370f49e7c7139b3e51954a45830992c53

    SHA512

    7543f50295700385100d82a4d24a5f87331ab420fb2121a2c3ee58504f3d4d748f21a9afdb93d84947a2c1ac8fb19b02eea71aa9158ae33d064b1b83b6b6d196

    Download Submit

  • \Program Files (x86)\Bwxy\Gwxyabcde.gif
    Filesize

    8.2MB

    MD5

    db30eab367a0ecbc1c7d87101587b219

    SHA1

    c0a73fbb47e137632cf14c3161608b4cf31d5e32

    SHA256

    cf42365a6d3b93afa2abcf6df09ecb0370f49e7c7139b3e51954a45830992c53

    SHA512

    7543f50295700385100d82a4d24a5f87331ab420fb2121a2c3ee58504f3d4d748f21a9afdb93d84947a2c1ac8fb19b02eea71aa9158ae33d064b1b83b6b6d196

    Download Submit

  • memory/1644-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

    Filesize

    8KB

    Download